Create a New AWS Account on LZA 1.11.2


Hello,

I am reaching out to seek your assistance regarding an issue we encountered after migrating our organization to LZA. Specifically, we are experiencing an error while attempting to create a new AWS account of type "dev" (our first account created after the migration). Below is the error message we received:

ASEA-SecurityResourcesStack-us-west-1 failed: Error: The stack named ASEA-SecurityResourcesStack-us-west-1 failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Invalid request provided: NoAvailableConfigurationRecorder" (RequestToken: …)

Upon investigation, we discovered that the new AWS account does not have AWS Config enabled for the us-west-1 region, unlike our previous accounts. Upon checking AWS Control Tower, we noticed that this region is no longer activated, although it was previously enabled. We attempted to manually reactivate it via Control Tower, but this resulted in a different error, as the system attempted to activate it in accounts where it was already enabled, causing the process to fail.

The error seems to be related to the absence of a "Configuration Recorder," which is preventing the stack creation. Despite several attempts to resolve the issue, we have been unsuccessful in fixing the problem.

I would appreciate your guidance on how to resolve this issue and would like to know if there are any additional steps we can take to ensure AWS Config is properly set up in the us-west-1 region for new accounts created post-migration.

Additionally, we would like to mention that our home region is other than us-west-1.

Thank you for your assistance. We look forward to your support in resolving this matter.

1 Answer

I apologize, but I don't have specific information about the issue you're experiencing with LZA 1.11.2 or the exact error you're encountering. However, I can provide some general guidance on account creation and troubleshooting in AWS environments.

For creating new AWS accounts, typically you would use AWS Service Catalog Account Factory if you're using AWS Control Tower. This process involves signing into your user portal, navigating to the AWS Account page, selecting the management account ID, and then using the Service Catalog console to launch the AWS Control Tower Account Factory product.

Regarding the issue with AWS Config not being enabled in the us-west-1 region for new accounts, this could be related to your Control Tower settings. Control Tower manages which regions are governed, and if us-west-1 is no longer activated, it may explain why AWS Config is not being set up there for new accounts.

For the specific error you're seeing with the ASEA-SecurityResourcesStack-us-west-1, it appears to be related to the absence of a Configuration Recorder. This is typically set up by AWS Config, so the root cause may indeed be that AWS Config is not properly enabled in that region.

To troubleshoot this issue:

  1. Check your Control Tower settings to ensure us-west-1 is properly activated if you need that region governed.
  2. Verify AWS Config settings in your management account and ensure it's properly set up for the regions you need.
  3. If you continue to encounter issues, you may need to reach out to AWS Support for more detailed assistance, as they would have more insight into your specific account configuration and the intricacies of LZA 1.11.2.

Remember that when creating new accounts or making significant changes to your AWS environment, it's important to ensure all prerequisites are met and that your settings align with your organizational requirements across all relevant regions.
Sources
Provision accounts with AWS Service Catalog Account Factory - AWS Control Tower
Troubleshooting issues with AWS account creation - AWS Account Management

answered 20 days ago
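
A read-only pre-flight check for the "verify AWS Config settings" step, added here as an example; it is not from the question, the answer, or LZA itself. It classifies each region from the `describe_configuration_recorders`, `describe_configuration_recorder_status` and `describe_delivery_channels` responses; the sample responses, the recorder and channel names, and every region other than us-west-1 are constructed, and `collect` assumes boto3 with read access to the new account.

```python
def classify_region(recorders, statuses, channels):
    """Classify one region from the three AWS Config describe_* responses."""
    names = [r["name"] for r in recorders.get("ConfigurationRecorders", [])]
    if not names:
        # Calls that need a recorder fail with NoAvailableConfigurationRecorder here.
        return "NO_RECORDER"
    if not channels.get("DeliveryChannels"):
        return "NO_DELIVERY_CHANNEL"
    status = {s["name"]: s for s in statuses.get("ConfigurationRecordersStatus", [])}
    for name in names:
        st = status.get(name, {})
        if not st.get("recording", False):
            return "RECORDER_STOPPED"
        if st.get("lastStatus") == "Failure":
            return "RECORDER_FAILING"
    return "OK"

def audit(responses_by_region):
    """Map {region: (recorders, statuses, channels)} to {region: finding}."""
    return {r: classify_region(*resp) for r, resp in sorted(responses_by_region.items())}

def blocking_regions(findings):
    """Regions to fix before deploying Config-dependent stacks there."""
    return [r for r, f in findings.items() if f != "OK"]

def collect(regions, session=None):
    """Fetch live responses; assumes boto3 and read access to the target account."""
    import boto3  # lazy import so the constructed sample runs without boto3
    session = session or boto3.Session()
    clients = {r: session.client("config", region_name=r) for r in regions}
    return {r: (c.describe_configuration_recorders(),
                c.describe_configuration_recorder_status(),
                c.describe_delivery_channels()) for r, c in clients.items()}

# Constructed sample responses; names and the non-us-west-1 regions are placeholders.
REC = {"ConfigurationRecorders": [{"name": "example-recorder"}]}
CHAN = {"DeliveryChannels": [{"name": "example-channel"}]}
def status_of(recording):
    return {"ConfigurationRecordersStatus": [{"name": "example-recorder", "recording": recording}]}

SAMPLE = {
    "ca-central-1": (REC, status_of(True), CHAN),
    "eu-west-1": (REC, status_of(False), CHAN),
    "us-west-1": ({"ConfigurationRecorders": []},
                  {"ConfigurationRecordersStatus": []}, {"DeliveryChannels": []}),
}
if __name__ == "__main__":
    for region, finding in audit(SAMPLE).items():
        print(f"{region}: {finding}")
```

Against a live account, pass the output of `collect([...])` to `audit` in place of `SAMPLE`.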
